oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*

https://packages.sury.org has untrusted TLS certificate for some IP addresses #1943

Closed thomaszbz closed 1 year ago

thomaszbz commented 1 year ago


Describe the bug: From my Ubuntu 18.04 machine with all updates installed, I get a trusted certificate (IPv4 and IPv6):

wget https://packages.sury.org/php/dists/bullseye/
--2023-04-09 13:08:04--  https://packages.sury.org/php/dists/bullseye/
Resolving packages.sury.org (packages.sury.org)... 2400:52e0:1e00::865:1, 138.199.37.232
Connecting to packages.sury.org (packages.sury.org)|2400:52e0:1e00::865:1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [ <=>                ]     625  --.-KB/s    in 0s    
2023-04-09 13:08:04 (16,7 MB/s) - ‘index.html’ saved [625]
wget --inet4-only https://packages.sury.org/php/dists/bullseye/
--2023-04-09 13:20:07--  https://packages.sury.org/php/dists/bullseye/
Resolving packages.sury.org (packages.sury.org)... 138.199.37.231
Connecting to packages.sury.org (packages.sury.org)|138.199.37.231|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’

index.html.1            [ <=>                ]     625  --.-KB/s    in 0s      

2023-04-09 13:20:07 (8,73 MB/s) - ‘index.html.1’ saved [625]
openssl s_client -connect packages.sury.org:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = packages.sury.org
verify return:1
---
Certificate chain
 0 s:CN = packages.sury.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = packages.sury.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4580 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9A3A783C4F761795A5066896A298EC2F9AD433CCAEB25D03BD5586AE16430488
    Session-ID-ctx: 
    Resumption PSK: 0BAF40BEAD584A1947347E0419C76EEAD651C664F428B4C0B286488C31CDCED84F359AC05B7B0A9AC2D8E4035264963A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    0000 - 7d c7 7a 53 5c d9 1e a2-7e 32 07 a2 21 3b be 38   }.zS\...~2..!;.8
    0010 - 9c 38 55 0c 00 2e e9 a1-09 57 91 80 4e 1b 21 5f   .8U......W..N.!_
    0020 - 67 34 75 c6 5a 5b c7 6f-0d b4 84 72 20 45 01 13   g4u.Z[.o...r E..
    0030 - 2c 7b b7 94 6f 4d 46 a2-5e dd 9f d2 af 19 95 c4   ,{..oMF.^.......
    0040 - a8 ac 08 4c 1c 13 9a 96-f3 6c e3 64 0a e1 50 ff   ...L.....l.d..P.
    0050 - 00 1b 44 71 5f d7 79 f7-02 64 bc 85 ab 95 c2 cb   ..Dq_.y..d......
    0060 - 2c bc a4 00 63 a6 42 25-93 fb 96 3c f0 98 21 87   ,...c.B%...<..!.
    0070 - cc 30 5a d6 76 ea ca 9c-c1 31 43 5a 99 64 f5 d0   .0Z.v....1CZ.d..
    0080 - 96 d8 da f3 7c ae 70 88-35 c5 69 c6 97 b0 62 43   ....|.p.5.i...bC
    0090 - 82 91 9c 6a 4a 7c 41 4c-27 56 1f db f3 59 de ae   ...jJ|AL'V...Y..
    00a0 - fe 4e 83 b0 8f 44 b9 70-29 d8 33 e3 23 f4 ff 49   .N...D.p).3.#..I
    00b0 - 10 cb 4e 2e ed 5c a1 71-c8 88 c4 d2 9e fa fe 1b   ..N..\.q........
    00c0 - 22 7f 0c c2 dc 1b bc b0-97 35 a4 74 af b1 f1 84   "........5.t....
    00d0 - 8f 6f bd f8 4d c7 f8 b2-14 08 96 e9 b1 d2 6c 4b   .o..M.........lK
    00e0 - bf 7a 1d d8 10 a9 24 76-1b 71 c1 fc 8f 92 78 7d   .z....$v.q....x}

    Start Time: 1681040256
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 68CF7968C6327D768CA9BB484513C73F34541B0D161DCCC5600C6B4D03155B83
    Session-ID-ctx: 
    Resumption PSK: BF1F50F7B3B0DB780EE32C25CC8AFFB9DDAC45D3792D5B205F55377E83A09822A44BA67F1E5E171DE8BAA1610ED76E81
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    0000 - 7d c7 7a 53 5c d9 1e a2-7e 32 07 a2 21 3b be 38   }.zS\...~2..!;.8
    0010 - 0c 00 1f 3c 35 ec 16 66-b8 98 9b 0e ac 5e f5 1c   ...<5..f.....^..
    0020 - 46 87 d7 4b 33 df fd 06-16 06 6c 6d fa 67 3f 0d   F..K3.....lm.g?.
    0030 - 6c e5 2b 68 76 a6 90 61-4b 11 d1 7c f6 a9 af 58   l.+hv..aK..|...X
    0040 - f7 63 70 85 b0 30 4c 4c-49 cc 9a 2d e2 9b f9 21   .cp..0LLI..-...!
    0050 - b6 c4 cf 37 e9 bd eb ae-97 7e 11 55 19 37 ca 19   ...7.....~.U.7..
    0060 - 9c 6a 32 23 c5 ec c9 59-88 7a 21 8a a3 15 14 85   .j2#...Y.z!.....
    0070 - 42 b3 f4 d0 4a 40 e7 7c-40 a6 72 bc e6 42 74 c0   B...J@.|@.r..Bt.
    0080 - cd f9 b1 b4 60 63 cb 7c-02 12 43 f4 c9 38 8d 3e   ....`c.|..C..8.>
    0090 - 95 12 6f b6 dd a5 17 5e-60 6d 58 c8 81 63 1f 85   ..o....^`mX..c..
    00a0 - b7 21 65 ca 62 72 06 74-ab d5 ca 99 5c e7 07 8e   .!e.br.t....\...
    00b0 - bf b0 ca b3 c0 9d 91 05-38 90 06 49 4c ba af 28   ........8..IL..(
    00c0 - ce a2 41 66 58 a4 7e 5e-aa c9 94 f6 a2 fd 66 0f   ..AfX.~^......f.
    00d0 - bd dd 37 e0 92 b7 5a c5-e8 ad 34 32 74 4b d6 1a   ..7...Z...42tK..
    00e0 - 87 9a a9 46 65 68 15 e5-06 bf b3 fa c6 35 b7 df   ...Feh.......5..

    Start Time: 1681040256
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0

From my Debian 11.6 server (with another internet provider and another DNS provider), I get a TLS certificate error:

To Reproduce: Steps to reproduce the behavior:

wget https://packages.sury.org/php/dists/bullseye/
--2023-04-09 13:06:56--  https://packages.sury.org/php/dists/bullseye/
Resolving packages.sury.org (packages.sury.org)... 138.199.37.226
Connecting to packages.sury.org (packages.sury.org)|138.199.37.226|:443... connected.
The certificate's owner does not match hostname ‘packages.sury.org’
sudo apt-get update
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Err:2 https://packages.sury.org/php bullseye InRelease
  Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected.  Could not handshake: Error in the certificate verification. [IP: 138.199.37.226 443]
Hit:3 http://ftp.de.debian.org/debian bullseye InRelease
Get:4 http://ftp.de.debian.org/debian bullseye-updates InRelease [44.1 kB]
Fetched 44.1 kB in 0s (128 kB/s)    
Reading package lists... Done
W: Failed to fetch https://packages.sury.org/php/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected.  Could not handshake: Error in the certificate verification. [IP: 138.199.37.226 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
openssl s_client -connect packages.sury.org:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.storage.bunnycdn.com
verify return:1
---
Certificate chain
 0 s:CN = *.storage.bunnycdn.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGTDCCBTSgAwIBAgIRAMkLOT5/rgaDMFyPzmHTYnMwDQYJKoZIhvcNAQELBQAw
gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0yMjA2MDIwMDAwMDBaFw0yMzA2MDIyMzU5NTlaMCExHzAdBgNVBAMMFiou
c3RvcmFnZS5idW5ueWNkbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDggW9zL5CGP982mKrhcKybw891xGQ6EsH6wG+KljRcPg7uY6uN5qw0Gg0G
4aEM5D8/sHVb5PVz4svuZ454S2X6F2ozRnlqVQ0i3ss1k0miCH6vKDovCOnN3iQo
SGc9AopJVmbN7TQHr06YWF1CMAu7qfuFi7GzCAEu/Ccn1d8zklgDcZnCi62JgnpM
Qqe05UPvJlk9FRcvc5Uxx3YV2qZ4axz5WXLUgkKbxldE55QQDmY3R8zkQ7iLQBOJ
9JQhhqw0t65XqNNkhismMMF0hIm6O3XK3ySMCwHPlUzi9D5RPdkOnPl52qhroN8W
pQamYrRPi9PxXCf1sUagKY3DnP19AgMBAAGjggMOMIIDCjAfBgNVHSMEGDAWgBSN
jF7EVK2K4Xfpm/mbBeG4AY1h4TAdBgNVHQ4EFgQUulKGmNtVHbVoMyU7pTc/GX/I
iYQwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAgcwJTAjBggr
BgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIBMIGEBggr
BgEFBQcBAQR4MHYwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuc2VjdGlnby5jb20v
U2VjdGlnb1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwIwYI
KwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMDcGA1UdEQQwMC6CFiou
c3RvcmFnZS5idW5ueWNkbi5jb22CFHN0b3JhZ2UuYnVubnljZG4uY29tMIIBfgYK
KwYBBAHWeQIEAgSCAW4EggFqAWgAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTK
hYY069yCigAAAYEhwaP6AAAEAwBHMEUCIE4PPeph8Qm+cG9XTsjEQztlBX5iKdRP
lyYt20JVCmzFAiEArlQCGmX8NaksTxft/Q5twfd3N/Df/WRfj/Vo/0LbqaoAdQB6
MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYEhwaPOAAAEAwBGMEQC
IGMYGhi4cxori/Ov4q1E17bPE67Ct5VeYQs0kEEPTX+7AiB48Lc7FQElieCI07If
rW1T8MFAJC6usMnr7VT5GyK2owB3AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nh
d31tBr1uAAABgSHBo5AAAAQDAEgwRgIhAJe0cms1JSGKX9WW6njSwREkWnEQ7zcp
+SBnVDbbSlXjAiEA8KFr6bwtmFvfv+ru6kv3dekJXFB2Cs0CKjq3/AEOooQwDQYJ
KoZIhvcNAQELBQADggEBAMTEILENoYhlTboFMmOq+VocgLuEGl3vKiL30j/uhNHz
tS2VwpSduQeXlF+Ik9ffbx7TY9dpv6+cioCzoCC7DRlALwjwoyAmtbdJlZWyGyAq
vcU7a1x1jLUFUDZQcMmAvX/I2uQeNI4kqZn8injEv3B2Z/4hFxN+Mns3cXF96wwO
hXlJwttxnhuKoiO4X/uSZnqXATzoXQGiQ01so3lPnFalalTgh0ipIccmfkRBGV7O
dG4is5jl6R29a1PE3BvGAW+pURU31WemhKCVhJmcU7m+Md6JYEGXaO78d0s6w8fz
bEgynumCMWawT7D8+Ih9RPVeGVi9VNlZ+hXUYxkO51g=
-----END CERTIFICATE-----
subject=CN = *.storage.bunnycdn.com

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5263 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 2F376FDE602AF0A2E5D701972293A758659A5170FCCBD6323859C01CAEF1A803
    Session-ID-ctx: 
    Master-Key: 163A5C0A8F19A0042BFA6FC25E2D491610B3E772BF356645E1328137AD2EB40F79DD25F7F13E622D9855D06CF4A1FA9B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - fc 48 37 06 3e 6a 1d a9-72 be 39 63 d9 f2 4a ad   .H7.>j..r.9c..J.
    0010 - 30 1f fb 2d f1 3b 23 fd-11 af 0d 1b c5 7f 13 84   0..-.;#.........
    0020 - 3e d6 4a e7 ba 47 a2 7b-18 bc ea 0b bc 1e a7 60   >.J..G.{.......`
    0030 - 43 80 da 1a 05 c2 48 84-e7 f9 2e 1f b2 93 0a 74   C.....H........t
    0040 - b2 47 65 f0 eb ee 3e ea-6a 85 4d 82 11 bb dd ff   .Ge...>.j.M.....
    0050 - bb c3 c8 3d 7c 2d c7 f6-d2 d3 98 5d 76 8c 0e 4d   ...=|-.....]v..M
    0060 - bc 9a 4f 4b 36 0c 1e 67-9d 0f 9c ce cf 98 69 60   ..OK6..g......i`
    0070 - 34 92 7b 2f 8d ea 5f 29-b7 4d 6e ff cb cc 0e d9   4.{/.._).Mn.....
    0080 - 0b 54 bf 05 a0 6b e0 8a-1b bd f2 dc 29 ca 58 39   .T...k......).X9
    0090 - 3e 28 bb e7 61 a3 3c b7-dd 16 bb 8a 3d 9b 13 b2   >(..a.<.....=...
    00a0 - 77 29 95 b6 08 7d b4 65-ed 40 5a f3 96 26 f2 8d   w)...}.e.@Z..&..
    00b0 - 76 7b 68 57 ad 7d e6 0d-a9 a5 25 ae 66 dc be c0   v{hW.}....%.f...
    00c0 - e0 4c c9 04 ed 7c b4 12-48 af bf e8 6e 17 d1 32   .L...|..H...n..2

    Start Time: 1681039805
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
openssl s_client -connect 138.199.37.226:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.storage.bunnycdn.com
verify return:1
---
Certificate chain
 0 s:CN = *.storage.bunnycdn.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = *.storage.bunnycdn.com

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5227 bytes and written 368 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: D82EFA2169E6659E18C19BB9486797C455BEF68C3C8886EB60E04E4426F708B2
    Session-ID-ctx: 
    Master-Key: 452B3D6252D0E05D84A48FE12D576956A4DAE9DC0CCEB0BE96AA10D073EDF188DF2493C23D7323178842B025060D00A3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - fc 48 37 06 3e 6a 1d a9-72 be 39 63 d9 f2 4a ad   .H7.>j..r.9c..J.
    0010 - 03 69 c7 19 c9 c3 04 b8-d5 6a cb 3c 54 f6 b9 07   .i.......j.<T...
    0020 - e5 89 f9 24 1d 84 fe 47-09 c8 51 2a b6 5a 56 3e   ...$...G..Q*.ZV>
    0030 - 0a f4 56 ff fe 98 b8 b4-09 a5 f7 b5 84 e7 27 09   ..V...........'.
    0040 - c6 75 13 5b bc 2b 9b da-0b 0b a6 4e 4d 2e 40 3a   .u.[.+.....NM.@:
    0050 - 93 35 6d 78 c4 da 65 ea-e2 bd 87 f7 91 ec b3 80   .5mx..e.........
    0060 - 08 2c d5 08 fe 7d 3d d5-c6 72 e9 bf 87 b7 58 67   .,...}=..r....Xg
    0070 - a4 f9 0e 13 91 fa 43 5b-9f 3d e3 0e 94 fb 45 98   ......C[.=....E.
    0080 - e0 99 1b a1 3f c5 c6 95-de 15 53 80 6d 1b 52 11   ....?.....S.m.R.
    0090 - d5 38 06 33 d2 c7 d9 18-ae 1e 8b ad d3 31 ce 53   .8.3.........1.S
    00a0 - da bf d4 e9 cb ad ce 08-0f 13 8c 62 90 22 aa 66   ...........b.".f

    Start Time: 1681039709
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

Your understanding of what is happening: For IP 138.199.37.226, a different IP address is used. For this IP, I get the wrong certificate

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
depth=0 CN = *.storage.bunnycdn.com

instead of

depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = packages.sury.org

This should be reconfigured server-side.

SNI is not used for 143.244.50.88 (another IP!), according to https://www.ssllabs.com/ssltest/analyze.html?d=packages.sury.org&s=143.244.50.88&hideResults=on

What steps did you take to resolve the issue yourself before reporting it here: Nothing, it must be reconfigured server-side.

Expected behavior: All (!) IP addresses in use for deb.sury.org should respond with a TLS certificate which is valid for deb.sury.org.

Distribution (please complete the following information):

Package(s) (please complete the following information): php

Additional context: Related (but this reads as if the Let's Encrypt CA certificate has not been installed):

oerdnj commented 1 year ago

What are the full HTTP headers for the non-functional server?

And what DNS server is returning 138.199.37.226 for packages.sury.org?

oerdnj commented 1 year ago

I’m pretty much sure you should not be getting this IP address from the DNS.

thomaszbz commented 1 year ago

http headers:

curl --insecure -v https://packages.sury.org
*   Trying 138.199.37.226:443...
* Connected to packages.sury.org (138.199.37.226) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.storage.bunnycdn.com
*  start date: Jun  2 00:00:00 2022 GMT
*  expire date: Jun  2 23:59:59 2023 GMT
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5620613672e0)
> GET / HTTP/2
> Host: packages.sury.org
> user-agent: curl/7.74.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx
< date: Sun, 09 Apr 2023 12:13:39 GMT
< content-type: text/html
< access-control-allow-headers: AccessKey, Content-Type
< access-control-allow-methods: GET, DELETE, POST, PUT, DESCRIBE
< access-control-allow-origin: *

thomaszbz commented 1 year ago

My hosting provider is netcup; by using their DNS, I get similar IP addresses. Source: https://www.netcup-wiki.de/wiki/Nameserver

dig @2a03:4000:8000::fce6 packages.sury.org

; <<>> DiG 9.16.37-Debian <<>> @2a03:4000:8000::fce6 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65184
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;packages.sury.org.     IN  A

;; ANSWER SECTION:
packages.sury.org.  1277    IN  CNAME   debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net.   34  IN  A   138.199.37.230

;; Query time: 4 msec
;; SERVER: 2a03:4000:8000::fce6#53(2a03:4000:8000::fce6)
;; WHEN: Sun Apr 09 14:20:02 CEST 2023
;; MSG SIZE  rcvd: 96
openssl s_client -connect 138.199.37.230:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.b-cdn.net
verify return:1
---
Certificate chain
 0 s:CN = *.b-cdn.net
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = *.b-cdn.net

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5121 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6F3D988DAF860A5E94E607AE9FA2C658B5CF4FE4F8C1A9FD2FC60F2FCFC7A715
    Session-ID-ctx: 
    Resumption PSK: 6FAB1CCF96441CDAB3B078E04AE78F19CC444933983A487E37B699AB71E35BB04945C8BEA9F29B004856FC4CF1882C40
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    0000 - f5 a1 de c3 10 78 c4 67-d5 67 a7 a5 58 8f c8 62   .....x.g.g..X..b
    0010 - 8c 75 c0 5e ce af 02 8e-af b6 c4 c5 28 05 0a 43   .u.^........(..C
    0020 - c7 d7 15 cf cd cc 66 18-b2 93 b6 c2 cf 0b 2e 96   ......f.........
    0030 - b3 a1 21 ed d7 bd 7a c9-94 77 42 54 71 e0 1f ca   ..!...z..wBTq...
    0040 - 2b 1b d6 9c 8e 5b a3 ad-5d e9 af b0 97 f3 69 b4   +....[..].....i.
    0050 - aa 05 17 d6 d4 fe 00 b5-97 25 44 f1 ce 34 f6 f0   .........%D..4..
    0060 - 80 9b 39 c4 9c 38 49 b2-bc 15 b3 a6 17 07 dd 7b   ..9..8I........{
    0070 - 5f d3 98 89 06 b1 25 23-15 a4 63 2e 52 67 d9 d8   _.....%#..c.Rg..
    0080 - 8b 8e 98 b5 54 5f a8 1d-6c 20 a4 1f e9 b3 62 bb   ....T_..l ....b.
    0090 - d2 8f 43 8b 86 d8 2e 11-59 22 2d 60 af 55 9c 25   ..C.....Y"-`.U.%
    00a0 - f4 b2 70 c7 a2 47 6e e5-11 5c 31 4f 37 93 69 5b   ..p..Gn..\1O7.i[
    00b0 - 0c de b8 5e ee 12 db ae-e1 63 dc 09 8d 36 8e 9d   ...^.....c...6..
    00c0 - 09 08 c1 40 14 cc 73 12-b5 a0 7c 94 b1 6b f8 cb   ...@..s...|..k..
    00d0 - d5 f8 b0 78 66 76 fb fb-88 a3 50 fb ad cd cf fb   ...xfv....P.....

    Start Time: 1681043137
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9341DE53534F093E82639506E4A096689232FF54D25E9EF97D973752E1D56320
    Session-ID-ctx: 
    Resumption PSK: BDDCFEB494C84AF5D503CDEA4738133FBF9FCDC6351799EAB5BD407A1BABF8A253030AF63F5BC9542E3042DFD95D21D0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    0000 - f5 a1 de c3 10 78 c4 67-d5 67 a7 a5 58 8f c8 62   .....x.g.g..X..b
    0010 - 48 5e 08 9c b2 24 1f e7-02 14 c2 cf 7e aa b2 90   H^...$......~...
    0020 - 67 bd 4b 59 d9 e9 c3 9a-c3 87 73 0f 26 b6 4a cd   g.KY......s.&.J.
    0030 - 76 07 88 e3 de 09 40 36-06 f9 1b c4 c2 91 2f 69   v.....@6....../i
    0040 - 88 22 a3 96 97 93 4d ca-a1 11 4a ca e3 c8 80 43   ."....M...J....C
    0050 - 2d 73 87 c7 de 7e d3 e0-fa 60 3d 1a e5 6b b6 aa   -s...~...`=..k..
    0060 - 1d dc b8 bb 99 5e 1c 1e-23 70 f9 f9 46 b0 72 e1   .....^..#p..F.r.
    0070 - ae b6 5b ed 0a 6d 5a ee-87 01 2e 78 c5 9c 1e 80   ..[..mZ....x....
    0080 - f9 cd 23 4b eb 1a 4e 11-4a b1 52 41 15 70 6a aa   ..#K..N.J.RA.pj.
    0090 - c1 37 8c 0b 56 64 2c 12-a1 dd b2 96 3f 5f 2b c0   .7..Vd,.....?_+.
    00a0 - 37 e4 be 1d 1d ef d2 7a-3d 15 fd 58 b8 0c d5 f3   7......z=..X....
    00b0 - fb 40 6c 59 5c e7 26 5d-35 4d 01 a0 5a 33 62 08   .@lY\.&]5M..Z3b.
    00c0 - a1 f4 8b 52 04 cb ce 1c-ac c9 97 a5 ac 12 0c 3c   ...R...........<
    00d0 - 3e b7 8f 56 2d f3 00 4e-cb 6a d1 d8 1d 84 7c f0   >..V-..N.j....|.

    Start Time: 1681043137
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---

It's the same pattern for 138.199.37.230:

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
depth=0 CN = *.b-cdn.net

Is there some IP address rotation in place? Maybe a changed IP address has not been distributed via DNS all over the place while the server with the old IP has already been deprovisioned (and its TLS certificate replaced) server-side.

oerdnj commented 1 year ago

`openssl s_client -connect 138.199.37.230:443`: this is wrong and proves nothing; you need to use SNI.

And that’s different IP address than you are reporting. Where are you getting that IP address (138.199.37.226), if not from DNS?

thomaszbz commented 1 year ago

The server uses three DNS servers; two of them are netcup DNS servers, one of them is the Google DNS server.

cat /etc/resolv.conf 
# NOTE: the libc resolver may not support more than 3 nameservers.
nameserver 46.38.252.230
nameserver 8.8.8.8
nameserver 2a03:4000:8000::fce6
# nameserver 2a03:4000:0:1::e1e6
dig @46.38.252.230 packages.sury.org

; <<>> DiG 9.16.37-Debian <<>> @46.38.252.230 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47107
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;packages.sury.org.     IN  A

;; ANSWER SECTION:
packages.sury.org.  114 IN  CNAME   debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net.   35  IN  A   138.199.37.232

;; Query time: 12 msec
;; SERVER: 46.38.252.230#53(46.38.252.230)
;; WHEN: Sun Apr 09 14:39:25 CEST 2023
;; MSG SIZE  rcvd: 96
dig @8.8.8.8 packages.sury.org

; <<>> DiG 9.16.37-Debian <<>> @8.8.8.8 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34945
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;packages.sury.org.     IN  A

;; ANSWER SECTION:
packages.sury.org.  3135    IN  CNAME   debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net.   35  IN  A   169.150.247.35

;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 09 14:41:02 CEST 2023
;; MSG SIZE  rcvd: 96
dig @2a03:4000:8000::fce6 packages.sury.org

; <<>> DiG 9.16.37-Debian <<>> @2a03:4000:8000::fce6 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46232
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;packages.sury.org.     IN  A

;; ANSWER SECTION:
packages.sury.org.  3577    IN  CNAME   debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net.   12  IN  A   138.199.37.231

;; Query time: 0 msec
;; SERVER: 2a03:4000:8000::fce6#53(2a03:4000:8000::fce6)
;; WHEN: Sun Apr 09 14:41:47 CEST 2023
;; MSG SIZE  rcvd: 96

I first thought that the system had somehow managed to cache an earlier DNS response from one of the servers, but that was not the case. Instead, I had an old entry in /etc/hosts which I had not thought about:

cat /etc/hosts
[...]
138.199.37.226 packages.sury.org

I removed the entry, and now everything is working fine again (server name now got resolved to 138.199.36.10).

My fault, sorry for filing this issue. Thanks for this comment ("Where are you getting that IP address, if not from DNS?"), it pointed me directly to /etc/hosts.

oerdnj commented 1 year ago

Thanks for following through and admitting the real cause. Appreciated!
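The two things this thread turned on, a stale /etc/hosts pin that bypasses DNS (thomaszbz's last comment) and probing a CDN edge without SNI (oerdnj's "you need to use SNI"), as an added Python example that is not part of the issue or of the deb.sury.org project. Everything in it is an assumption of the example: the function names, the constructed sample /etc/hosts text and the certificate dictionaries (whose names copy the certificates quoted above). The network probe only runs from the `__main__` guard; the parsing and name-matching functions run offline.

```python
"""Diagnosing a TLS hostname mismatch the way this thread was resolved.

Added example, not code from the original issue or from deb.sury.org.
Two independent checks:

  1. hosts_overrides(): find /etc/hosts lines that pin a hostname to an
     address. With the usual glibc order (hosts: files dns), apt, wget and
     curl all honour such a line and never ask DNS, which is exactly what
     produced the 138.199.37.226 connections in the thread.
  2. probe_tls(): connect to one specific IP, with or without SNI, and
     report whether the certificate actually presented covers the hostname.
     A CDN edge answers a no-SNI ClientHello with its default certificate,
     so a probe without SNI proves nothing about the name you care about.

The sample /etc/hosts text and certificate dictionaries below are
constructed for the example; the name patterns copy what the thread shows.
"""
import socket
import ssl


def hosts_overrides(hosts_text, hostname):
    """Return [(ip, line_number)] for every active /etc/hosts entry naming hostname."""
    wanted = hostname.lower().rstrip(".")
    hits = []
    for number, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if wanted in (n.lower().rstrip(".") for n in names):
            hits.append((ip, number))
    return hits


def name_matches(pattern, hostname):
    """DNS-name match with the usual wildcard rule: '*' may replace exactly one
    leftmost label and must leave at least two real labels (so '*.net' never
    covers 'b-cdn.net')."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False
    if pat[0] == "*":
        return len(host) >= 3 and pat[1:] == host[1:]
    return pat == host


def cert_covers(cert, hostname):
    """True if the certificate (ssl.getpeercert() dict) is valid for hostname.
    DNS SAN entries take precedence; the subject CN is only a fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    candidates = sans or [
        value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"
    ]
    return any(name_matches(c, hostname) for c in candidates)


def probe_tls(ip, hostname, sni=True, port=443, timeout=5.0):
    """Handshake with a given IP and return (presented_names, covers_hostname).
    The chain is verified against the system trust store; the name check is
    done here so that a mismatch is reported instead of raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False               # we do the name comparison ourselves
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if sni else None) as tls:
            cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names, cert_covers(cert, hostname)


# Constructed sample: a stale pin like the one the reporter found.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# leftover from an earlier migration
138.199.37.226 packages.sury.org
::1         ip6-localhost
"""

# Constructed dict in ssl.getpeercert() shape, mirroring the names in the
# '*.storage.bunnycdn.com' certificate shown in the thread.
CDN_DEFAULT_CERT = {
    "subject": ((("commonName", "*.storage.bunnycdn.com"),),),
    "subjectAltName": (("DNS", "*.storage.bunnycdn.com"), ("DNS", "storage.bunnycdn.com")),
}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "packages.sury.org"
    try:
        with open("/etc/hosts") as f:
            pins = hosts_overrides(f.read(), host)
    except OSError:
        pins = []
    print("/etc/hosts pins for %s: %s" % (host, pins or "none"))
    # gethostbyname_ex() goes through the libc resolver, so it honours the same pins.
    for ip in {p for p, _ in pins} | set(socket.gethostbyname_ex(host)[2]):
        for sni in (True, False):
            try:
                names, ok = probe_tls(ip, host, sni=sni)
                print("%s sni=%s -> %s covers=%s" % (ip, sni, names, ok))
            except OSError as exc:               # ssl.SSLError is an OSError subclass
                print("%s sni=%s -> error: %s" % (ip, sni, exc))
```

The equivalent manual probe with OpenSSL is `openssl s_client -connect 138.199.37.230:443 -servername packages.sury.org -verify_hostname packages.sury.org`; without `-servername` no SNI is sent, which is why the bare `s_client` runs in the thread returned the CDN's `*.b-cdn.net` and `*.storage.bunnycdn.com` defaults. apt, wget and curl all send SNI, so their name-mismatch errors were genuine, and `getent hosts packages.sury.org` shows what the libc resolver (files before DNS) actually hands them.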